Win32.Netsky.S@mm (Win32/Netsky.S@mm (RAV), I-Worm.NetSky.t (KAV), W32/Netsky.S.worm (Panda))
SYMPTOMS:
Presence of EasyAV.exe in the %SystemRoot% (e.g. C:\Windows) folder and in the process list. Presence of uinmzertinmds.opm in the %SystemRoot% (e.g. C:\Windows) folder, containing a block of ASCII characters which is a base64 encoding of the worm. Presence, in the start-up registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run", of the value "EasyAV" pointing to "%SystemRoot%\EasyAV.exe".

TECHNICAL DESCRIPTION:
The worm spreads via email and infects the system when the attachment is executed. It was written in C++, compiled with VC6, packed and encrypted.

When run, it first checks for a mutex named Protect_USUkUyUnUeUtU_Mutex to avoid reinfecting the system. It also creates a second mutex, SyncMutex_USUkUyUnUeUtU, which is used by another copy of the worm to keep it active if someone tries to remove it. It then copies itself to %SystemRoot%\EasyAV.exe and creates a file called uinmzertinmds.opm in which it stores a base64-encoded copy of itself. This second file is used later when sending emails: it is appended to the email text as the attachment data.

Most of the strings used by the worm are encrypted with a translation table for the A-Z and a-z characters.

It searches drives C: through Z:, skipping DVD/CD-ROM drives, in specific file types for suitable email addresses, collecting at most 32485 (0x7ee5) addresses. These addresses are validated against several hard-coded servers via Mail eXchange (MX) look-ups, and they must not contain certain strings. The subject and message body are chosen randomly or crafted from a very long hard-coded list of strings.

It also creates a thread that gives the worm backdoor capabilities by opening and listening on port 6789. When an attacker sends a file to this port, the worm saves it as Rand.exe and executes it, where Rand is a random number in the range 0-32767.

From April 7, 2004 the worm re-sends itself to harvested addresses regardless of whether it has already been sent to them; between April 14 and 16, 2004 the virus stops sending itself, and after that it starts spreading again. From April 14 to 23, 2004 the worm creates a new thread that attempts DoS attacks on the following sites:
www.cracks.am
www.emule.de
www.freemule.net
www.kazaa.com
www.keygen.us

Removal instructions:
Manual removal:
* open Task Manager by pressing [CTRL]+[ALT]+[DEL] (or [CTRL]+[SHIFT]+[ESCAPE] on Win2000/XP)
* use End Process in the Processes tab on every EasyAV.exe
* open Registry Editor by pressing [WIN]+[R], typing regedit and pressing [ENTER]
* remove the EasyAV value from the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key
* delete %SystemRoot%\EasyAV.exe and %SystemRoot%\uinmzertinmds.opm
Automatic removal: let BitDefender disinfect the infected files.

ANALYZED BY: Mircea Ciubotariu, BitDefender Virus Researcher
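A triage helper, added here as an example (not BitDefender's code), that checks two of the symptoms above on exported data: whether a uinmzertinmds.opm file is a base64 copy of EasyAV.exe, and whether the Run key carries the EasyAV entry. The sample bytes and key values are constructed stand-ins, not the real worm.

```python
import base64
import binascii
import hashlib
import re
import textwrap
from typing import Dict, Optional

# Constructed stand-in for the dropped EasyAV.exe: any bytes beginning with the
# "MZ" DOS header serve the demonstration. This is NOT the real sample.
SAMPLE_EXE = b"MZ" + bytes(range(256)) * 4
# Constructed uinmzertinmds.opm content: the executable, base64-encoded and
# line-wrapped the way an attachment body would be.
SAMPLE_OPM = "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_EXE).decode(), 76))


def decode_opm_block(text: str) -> Optional[bytes]:
    """Decode the ASCII base64 block stored in uinmzertinmds.opm.

    Whitespace (line wrapping) is stripped and missing '=' padding restored
    before decoding. Returns None if the text is not valid base64.
    """
    compact = re.sub(r"\s+", "", text)
    if not compact or re.search(r"[^A-Za-z0-9+/=]", compact):
        return None
    compact += "=" * (-len(compact) % 4)
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def opm_matches_dropper(opm_text: str, exe_bytes: bytes) -> bool:
    """True if the .opm file decodes to a PE image identical to EasyAV.exe."""
    decoded = decode_opm_block(opm_text)
    if decoded is None or decoded[:2] != b"MZ":
        return False
    return hashlib.sha256(decoded).digest() == hashlib.sha256(exe_bytes).digest()


def run_key_points_to_easyav(run_values: Dict[str, str]) -> bool:
    """Check exported Run-key name/data pairs for the 'EasyAV' start-up entry."""
    for name, data in run_values.items():
        path = data.strip().strip('"').lower()
        if name.lower() == "easyav" and path.endswith("\\easyav.exe"):
            return True
    return False
```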